* Bruce Momjian (bruce(at)momjian(dot)us) wrote:
> On Wed, Mar 4, 2015 at 05:56:25PM -0800, Josh Berkus wrote:
> > So, are we more worried about attackers getting a copy of pg_authid, or
> > sniffing the hash on the wire?
>
> Both. Stephen is more worried about pg_authid, but I am more worried
> about sniffing.
I'm also worried about both, but if the admin is worried about sniffing
in their environment, they're much more likely to use TLS than to set up
client side certificates, kerberos, or some other strong auth mechanism,
simply because TLS is pretty darn easy to get working and distros set it
up for you by default.
Thanks,
Stephen